This threat hides itself by using a folder icon. It’s
also a trick to fool unknowing users into executing it.
After it has been launched, it creates three
directories in %windir%system32 in one of which it copies itself and drops
several files. It sets the hidden and system attributes to these folders so
they remain hidden from normal users.
In order to execute at every system boot it creates a
shortcut of itself in the users Startup folder and checks its existence
After installation, the malware remains resident in
the memory and monitors user activity. It also checks the internet connection
from time to time and if it’s available it tries to download new updates of
itself. Sometimes new malware are downloaded as well.
Trojan.Spy.Agent.NXS also presents backdoor
capabilities. Remote commands can be executed on the users machine through it,
but a permanent connection to an attackers server is not available.
After execution, this Trojan drops two files:
%windir%system32cabpck.dll and %windir%system32krnlcab.sys. Cabpck.dll is
executed and the initial file it has been ran from, which is packed with a
custom packer that pretends to be UPX, is deleted.
Krnlcab.sys is a rootkit component, set to execute as
a system service. It has protective role, hiding all the files and registry
entries of the malware.
Cabpck.dll is executed at startup by means of the
registry as well. Other keys are created for the malware to run in safe mode as
well. It is creating firewall exceptions for rundll32.exe as well, in order to
execute itself unhindered.
Trojan.Banker.LCG tries to steal user passwords by
accessing sensitive areas in the registry which hold encrypted user data.
It has usually as a webserver from which it receives
instructions. The communication is done through a script which can run multiple
jobs on the host computer. It can download and execute different versions of
the rogue antivirus “XP Antivirus”, update the windows hosts file or execute
other administrative commands.
We all remember Trojan.Exploit.SSX
which used Trojan.Exploit.JS.RealPlr.S as an
obfuscator right? Well, this time, Trojan.Exploit.JS.RealPlr.S is
replaced by Trojan.Exploit.ANNZ which is
This time it downloads something different
with the name “help.exe“,
that is detected as
Also some new Rogue antivirus is trying to
spread its wings, with not much success however. Trojan.FakeAlert.ACJ is
actually a website that offers you a free scan with this rogue product, called:
AntiSpywareMaster, TrustedAntivirus, PCVirusless or
SpyGuardPro. After the fake scan, it will ask you to download these
applications. Once on your computer, they act just like any other rogue
security product, nagging with fake infection, asking you to buy the software.